Use your ISP's official DNS so that you get the shortest path possible from the ISP's handoff location to the CDN (and overseas trunks), not a generic DNS that doesn't know about your ISP's layout.
ISP: 1ms to Cloudflare
Cloudflare: 10ms to Cloudflare
Thank you for your attention to this matter.
Edit: will clarify, this advice applies to countries with good privacy laws and no national surveillance i.e. not the USA
In practice, performance will probably be better overall with a DNS that blocks ad servers.
That’s no good if you want uncensored DNS.
Absolutely this. Parent advice is terrible for the reality of the problem. Shortest path does not equal fastest web page load, especially when you're filtering 99% of the crap from even resolving on your network. 0.0.0.0 is always faster than your ISP fetching extra garbage.
Are these even real countries at this point? Also, it's not even about privacy, AFAIK pretty much any country will try to protect you from accessing something they don't like you to access, and in most cases it's some half-assed attempt to do so, like your ISP's default DNS directing you to some warning page instead of actually opening the website you were going to open. So changing your ISP's DNS to something like 8.8.8.8, while it doesn't necessarily increase privacy, is the first major step to improve your browsing experience.
Cloudflare famously does anycast so the DNS answer you get is the same no matter where you're coming from. Your numbers there can't be attributable to DNS. On the contrary, Cloudflare can short circuit the recursive lookup for any of their properties, providing potential speedups at the resolution stage, and can use EDNS client subnet to route based on where you are if necessary.
Anycast DNS doesn’t mean what you think it means.
Your DNS traffic to Cloudflare is routed via anycast. If Cloudflare is sending this DNS query (e.g. to an authoritative DNS server), the IP address it uses for this is not going to be the anycast one. These IPs are geolocatable and Cloudflare even publishes feeds of their approximate location. The response you get will be geolocated based on the IP that Cloudflare is using to send traffic to the authoritative.
Cloudflare explicitly does not use ECS (the edns extension to provide client subnets to authoritatives): https://developers.cloudflare.com/1.1.1.1/faq/#does-1111-sen...
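An added illustration of the EDNS Client Subnet option the two comments above are arguing about; it is not code from any commenter. It builds a DNS query carrying (or omitting) an ECS option per RFC 7871 and decodes the option body, using a constructed query name and RFC 5737/3849 documentation prefixes. A resolver that omits the option, as the linked FAQ says 1.1.1.1 does, leaves the authoritative with only the resolver's own egress address to geolocate.

```python
import struct
import ipaddress
from typing import Optional, Tuple

ECS_OPTION_CODE = 8  # EDNS Client Subnet, RFC 7871


def build_ecs_option(prefix: str) -> bytes:
    """Encode a full ECS option (code, length, body) for a prefix like '203.0.113.0/24'."""
    net = ipaddress.ip_network(prefix, strict=False)
    family = 1 if net.version == 4 else 2          # IANA address family
    source = net.prefixlen                          # SOURCE PREFIX-LENGTH
    nbytes = (source + 7) // 8                      # only significant octets are sent
    addr = net.network_address.packed[:nbytes]
    body = struct.pack("!HBB", family, source, 0) + addr  # SCOPE is 0 in queries
    return struct.pack("!HH", ECS_OPTION_CODE, len(body)) + body


def build_query(qname: str, ecs_prefix: Optional[str]) -> bytes:
    """Build an A query with an OPT pseudo-RR; ecs_prefix=None mimics a resolver that never sends ECS."""
    header = struct.pack("!HHHHHH", 0x1234, 0x0100, 1, 0, 0, 1)  # RD set, 1 question, 1 additional
    labels = qname.strip(".").split(".")
    question = b"".join(bytes([len(l)]) + l.encode() for l in labels) + b"\x00"
    question += struct.pack("!HH", 1, 1)                      # QTYPE A, QCLASS IN
    rdata = build_ecs_option(ecs_prefix) if ecs_prefix else b""
    # OPT RR: root name, TYPE 41, UDP payload 4096, ext-rcode/version/flags 0, RDLENGTH
    opt = b"\x00" + struct.pack("!HHIH", 41, 4096, 0, len(rdata)) + rdata
    return header + question + opt


def parse_ecs(option_body: bytes) -> Tuple[str, int, int]:
    """Decode an ECS option body -> (address, source_prefix, scope_prefix).

    In a response the authoritative sets scope_prefix to say how much of the
    client subnet its answer actually depended on."""
    family, source, scope = struct.unpack("!HBB", option_body[:4])
    full = 4 if family == 1 else 16
    addr = option_body[4:] + b"\x00" * (full - len(option_body[4:]))  # re-pad truncated address
    return str(ipaddress.ip_address(addr)), source, scope
```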
Changing your DNS does basically bupkis for privacy, since they can still read your DNS queries and SNIs.
If I set my DNS provider to use DoH or DoT, my ISP will no longer see my DNS requests. I'm confident that my ISP doesn't do DPI at scale to extract SNI, so the lack of ECH doesn't break the entirety of the privacy benefit.
The fact that they could perform DPI doesn't change the reality that most ISPs probably aren't doing it, unless mandated by law, because it's expensive and in my main country of residence they can't sell that data to offset the cost.
I'm surprised to see such lack of nuance coming from you.
A big part of why we began pushing for TLS everywhere is that ISPs were doing DPI to inject ads in web pages. There's very real precedent for this stuff, and a real market for selling information on your web habits as well. Besides the obvious value for the spooks.
It's taken a conspicuously long time to even begin to see a solution to the glaring privacy issues with SNI. Even just counting the length of time we've been aware of the problem of SNI being used for censorship and eavesdropping[1], it's over a decade, and ECH's status is still very experimental in most web server software (and ECH is kind of a janky hack even after how long this has been discussed back and forth, the ESNI debacle, and so on).
[1] https://inria.hal.science/hal-01202712/document
It doesn't fix privacy but it does work around censorship. Has a court or the government ordered your ISP to usurp its enemies' DNS records? If so, you need to talk to a different resolver, not constrained by your government or courts.
> but it does work around censorship
* for the countries/ISPs that don't also hijack all DNS
https://en.wikipedia.org/wiki/DNS_hijacking#Manipulation_by_...
There are gaps depending upon the client configuration, but "bupkis" is simply wrong or horribly obsolete.
Encrypted DNS isn't an "any day now", basically every platform and browser and provider supports it, and 100% of my household's DNS requests are opaque to anyone watching the wire. And basically every system like Cloudflare supports ECH, so SNI isn't a thing for the vast majority of sites.
DoH and ECH fix that
Any moment now...
> Thank you for your attention to this matter.
Had me in stitches